
Posts
89
Comments
138
Joined
2 yr. ago

  • I'd like to be clear that docs are the best I can offer, but feel free to ask for clarity on the details and I can try to explain it better.

  • Hi. Sorry for the delay in replying to this. I overlooked it in the thick of messages I got on that post.

    Your point about focus is entirely valid, which makes me more reluctant to show the size of the project.

    I put a great deal of time and attention into the cryptography aspects, because that's a core detail I wanted to iron out... the wider project is more like a Nextcloud clone.

    The lack of focus you alluded to is correct, and it won't inspire you to realise it's at a bigger scale than you might think. I'm working towards something more comprehensive in capabilities.

    If I haven't lost your trust and interest in the project, it would be great to get feedback on https://enkrypted.chat/ (the final-ish form of the messaging app).

  • Thanks for your feedback there. I'd like to share my thoughts and observations on your points.

    It's a great personal shame for me to go in the closed-source direction. Those links to the open source repos will remain open source because it demonstrates the unique concept around how it works. If people are interested in how it works and don't want to trust me (and you shouldn't!)... the open source repositories demo the functionality and also have a reasonable amount of documentation around it. I had deluded myself that if I open-sourced something unique like this, I would be able to get open-source funding. I have no experience in the matter; I was just working on a side project to begin with (and it's arguably still a side project). I put focus on transparency, communication and documentation. The project still gets called a scam/slop whether it's open or closed source.

    The app itself is pure client-side JavaScript, so I don't see how I can offer a managed service.

    While I have a "decent" amount of documentation on the project, I don't expect most people to take a look. That was all intended for transparency when seeking open source funding. Open source cybersecurity seems prohibitively expensive whether you're big tech or not. My personal experience in seeking an audit: https://www.reddit.com/r/CyberSecurityAdvice/comments/1su8lir/security_audit_feedback_from_radically_open

    I'd like to put things into perspective here:

    As others have pointed out, privacy without transparency (in the way of making the underlying code open source) isn't a guarantee of privacy; it's a weak promise at best

    https://github.com/positive-intentions/chat the core concept is demonstrated here. It's fully functional p2p messaging with a focus on client-side cryptography. I'll be keeping it open source. The key difference is that the open source version doesn't have as nice a user experience... if a nice user experience makes all the difference, then I don't think people are looking at it objectively.

    removing openness in its entirety isn't a solution privacy focused people will accept

    I agree; and just to be clear, I'm not removing openness in its entirety. It's open source to demonstrate how it works. If you want secure open-source p2p encrypted messaging... you have that... it simply isn't going to be the best experience I can offer. If you want to fork the repo and try to iron out the creases yourself? Be my guest (it's pretty complicated, so feel free to reach out for clarity). Perhaps I'm being naive, but I don't think any amount of vibecoding is going to make the open-source version competitive with the closed-source version.

    marketing

    This is very difficult for me. No idea what I'm doing in marketing, and my candid communication doesn't seem well received, especially in the cryptography and cybersecurity communities. No idea how to do marketing beyond posting on Reddit and Lemmy. I have been spending most of my time improving the project, and I can do that forever... but I shouldn't. It's something I need to work on.

    I think I have offered a great deal of transparency, honesty and communication about how the app works. I expect it will be tough to sell a "secure, but paid-for messaging app", but it seems the only logical option. This isn't my first rodeo; open source is not a gamble that will pay off.

  • "testing and demo purposes only"

    The code and docs are provided so you don't need to trust me.

  • I know! I tried everything I could think of.

  • Privacy @lemmy.world

    Introducing Enkrypted Chat - An Ephemeral P2P WhatsApp Clone

  • So now you're saying AI psychosis is a serious thing we don't understand... but you seem to be convinced that you're qualified to diagnose it?

    Unlike many others responding to this thread, you've seen my work and even linked a comprehensive post of how my project works. Your pushback here doesn't contain any substance. You can call it AI psychosis so you can avoid giving the project actual attention.

    Ultimately I don't think my project is interesting to you. If I'm seen as an annoying Lemmy user/troll, I encourage you to block me.

  • I try to be sensitive toward that. But if we have such rules against AI-slop, we have to be able to distinguish between low-effort AI and high-effort AI... that's what isn't occurring.

    I created a sub for my project here: https://www.reddit.com/r/positive_intentions

    While it's great for posting updates for those that follow my progress, it hardly has reach compared to other subs. It's especially useful to ask in established subs when I have technical questions... like in the sub that got me banned. I don't think I'm sharing AI-slop, and there doesn't seem to be an objective analysis because AI is the latest trend and people already have strong opinions on it.

  • The only project relevant here is: https://positive-intentions.com/

    The parts I want open source are on GitHub. My project wasn't always open source. I created this without AI agents. Then I open-sourced it thinking it would gain more trust with users... and it did, but a key observation is that there are folks like yourself that will never be satisfied. If open source code, docs and my communication isn't enough... I have no delusion that identifying myself would benefit the project in any way... it's simply a vector by which people will highlight why I'm not qualified to work on the project.

    Criticism in cybersec is common and expected. My ideas should be challenged. But the code is right there. Feel free to ignore any details you think might not be up to your quality standard. You linked my previous post, which is more technical about how my app works. You can ask for further clarity on those details.... but your criticism on previous posts suggests to me that you don't actually want clarity, because you already have the references to find out more.

    The project is enjoyable for me. It's why I still work on it. Would it be wild for me to want to make money from it? I'm trying to be more transparent about my process. The post here highlights my AI usage and how I'm using it to create high-effort work. "High-effort" is hardly quantifiable, but I see many responses are along the lines that "AI can't be trusted to do things perfectly"... as if I don't also agree with that. You linked my previous post, which I would hope made it clear that my AI prompt wasn't "create me a messaging app".

    A key and worrying observation is that mentioning that I use AI is the only thing that makes a difference in feedback about the project (as per the subject of this post). You can see that my previous post was significantly better received compared to this current post. That is the project where I'm using AI.... because, duh! It is a game changer.

    The point I'm making in the OP still stands, that people can't see past my project after I mention I used AI. Human effort has never been easy to quantify... the best you've got is story points, and that's hardly meaningful.

  • Hi. Thanks for taking a look. Sorry for the delay in responding; I wanted the heat on this post to settle down a bit.

    I originally started with src, but then when it came to formal verification and proofs, I came to the conclusion that you can't simply point it at a single folder, as various functions are better separated to make it easier to document.

    Unlike the formal verification with tools like hax, formal proofs are loosely related to the code. There isn't a direct relation between the ProVerif files and the code itself. If I change the code, I should also adjust the ProVerif. I documented it on the website to help me keep track of the functionality.

    https://positive-intentions.com/docs/technical/signal-protocol-formal-verification/proverif
    https://www.reddit.com/r/cryptography/comments/1evdby4/comment/liwyn3o/

    Regarding how the cryptography is loaded, I'm using module federation. The Signal protocol is imported into the cryptography module (so the app doesn't need to load the Signal protocol project explicitly). That cryptography module is itself loaded into the p2p-framework repository so that I can automate the handling of p2p authentication.

    That AI audit, as critical as it is of my implementation, is the best source of truth for my project. There is simply not going to be a third-party audit, and so it is intended to be objective, but I think I signpost enough that it's AI generated. I need to clean up the exclamation marks and emojis, but the information there should all be correct.

    There are indeed a lot of debug messages logged. It's worth repeating that the project is still a work in progress and far from finished. I'm sharing it now at this point because it seems like a reasonable state. I understand people can have high expectations around perfection... this is not that kind of project. Perfection would be a waste of my time at this stage in the project.

    The CSP headers there are all deliberate to support things like GIFs and SimpleAnalytics. They could do with a bit of a clean-up and taking ownership of things like fonts.... it's been on the to-do list for a while, but I didn't prioritise it. Thanks for raising it... I'll see about cleaning it up.

    The hax extraction is doing the abstraction to axioms, and you're right that the axioms aren't proven... this is something I'm actively investigating.

    Thanks for your time and attention on the project. Sorry if I've misled you to believe the project is more mature than it is.... it is, however, a genuine attempt to create something safe and secure.
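The comment above makes the point that a ProVerif model sits beside the code rather than being extracted from it, so the model has to be maintained by hand. As an added example that is not one of the project's ProVerif files (process and function names such as `alice`, `bob`, `senc`/`sdec` are assumed), here is the smallest model of the situation the open-source repo is described as guarding against elsewhere on this page: an unauthenticated Diffie-Hellman exchange over a public channel, with the attacker free to sit in the middle.

```proverif
(* Added example, not the project's model: unauthenticated Diffie-Hellman.
   Run with:  proverif dh_unauth.pv *)

type G.
type exponent.

free c: channel.                      (* public network; attacker controls it *)
free secret: bitstring [private].     (* what Alice wants only Bob to learn   *)

const g: G.
fun exp(G, exponent): G.
(* (g^x)^y = (g^y)^x, the only algebraic property the model needs *)
equation forall x: exponent, y: exponent; exp(exp(g, x), y) = exp(exp(g, y), x).

(* Symmetric encryption keyed by the shared group element *)
fun senc(bitstring, G): bitstring.
reduc forall m: bitstring, k: G; sdec(senc(m, k), k) = m.

(* Does the attacker ever learn `secret`? *)
query attacker(secret).

let alice() =
  new x: exponent;
  out(c, exp(g, x));                 (* send g^x, nothing binds it to Alice *)
  in(c, gy: G);                      (* receive "Bob's" g^y, unauthenticated *)
  out(c, senc(secret, exp(gy, x))).  (* encrypt under (g^y)^x *)

let bob() =
  new y: exponent;
  in(c, gx: G);
  out(c, exp(g, y));
  in(c, m: bitstring);
  let s = sdec(m, exp(gx, y)) in 0.

process
  (!alice() | !bob())
```

ProVerif answers `RESULT not attacker(secret[]) is false` and prints the trace: the attacker replaces `g^y` with its own `g^z`, so Alice encrypts under `(g^z)^x`, which the attacker can compute from `g^x` and `z`. That trace is the man-in-the-middle the fingerprint comparison in the open-source chat repo is meant to catch; adding a signature or an out-of-band check of the public values to the model is what turns the query into `true`, and it is the kind of edit that has to be repeated by hand whenever the implementation changes, which is the maintenance cost the comment describes.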

  • This generally seems to allude to my due diligence. And if it's low-effort AI.

    It's skepticism that has me put attention towards docs and various details.

    For example: I tried to get a security audit. I can't get one for free, so I created one with AI. I'd like to be clear that I understand how my app works and am able to articulate it to the best of my ability to AI to generate the security audit. I was exhausted from the experience of creating the audit with AI, and it provides me with good information and advice. I stand by the feedback there that it isn't ready for production.

    In all my posts on all platforms I'm sure to mention that it isn't production-ready. (The same for the repos on GitHub)... But the general aim is to create something secure.

  • Here is the open source version I created without AI: https://github.com/positive-intentions/chat

    It's fairly ugly and not user friendly, but the core mechanics of secure encrypted communication are demonstrated and documented. It was clear after creating that version that open source was worthless. With or without AI, slop has always been around.... for better or worse, I was creating slop before it was cool.

    I then created the newer version of the messaging app with AI (it isn't fully open source but works in a similar way): https://p2p.positive-intentions.com/iframe.html?globals=&id=demo-p2p-messaging--p-2-p-messaging&viewMode=story

    Having done it manually and then with AI, I can clearly compare why the closed-source version is more appealing to users. It's not just a nicer UI, it's better documented.

    You're making assumptions that if I didn't have AI, I wouldn't be able to work on my project. I'm naive enough to think that isn't true. The documentation and code might not be to the same quality, but I'm sure I can still crank out code the old-fashioned way.

  • Wow, that's deep analysis and advice. I generally think I do well.

    I work on my project and cryptography because it's interesting. I worked with cryptography long before AI... but like a "regular" developer on a side project, I'm going to use AI.

    I actively seek advice about the code in my project. I only share my work after I've put in what I think is enough time and effort. It clearly isn't enough that the project "works". In cybersec it's important for code to be audited or reviewed; that fundamentally isn't an option on a project like mine unless I share something that is described as "AI-slop". That feedback is fine. It's important that it's open source.

    It might not be fun for most, but this is something I work on because it's enjoyable to me. It's open source for transparency and criticism. I just want to take "AI" as a criticism off the table because I can't quantify my involvement... which is an understandably wild thing to ask, so I try to approach it with caution.

    I work on several projects that interest me. Many but not all are open source. They exist because I woke up some day and decided I wanted to create something.

  • You're right. My version of what you're describing exists here: https://github.com/positive-intentions/chat

    Not AI slop, but slop of a different kind. Purely a webapp, and it uses audited crypto primitives from the browser. WebRTC is already encrypted, but there is a Diffie-Hellman key exchange (you can share public key hashes to guard against MITM attacks). I put time and effort there and documented it to seek some kind of open source support. It didn't work out.

    My plan was always to beef up the encryption. I wanted to add the Signal protocol. I asked on Reddit and I couldn't find something suitable.

    https://www.reddit.com/r/crypto/comments/1mi4ooa/looking_for_the_signal_protocol_in_javascript

    I can use AI to sweat it out myself: https://www.reddit.com/r/signal/comments/1orsjw2/signal_protocol_in_javascript

    There is a great deal of effort that I simply can't quantify.

  • I started off with a version I created manually without AI. I know how to do this old-school (I tried). That was a different kind of slop.

    https://github.com/positive-intentions/chat

    I use AI in a way I think is appropriate. I check as much as I can myself too. I post online about details and questions. I can iterate with AI. I may be naive to think I know how to inspect what is created, so I share it online. I'm not sharing slop. This is the best I can do. Of course there are countless points of improvement, but there are only so many hours in the day.

    You're sharing a valid opinion, but it's difficult for me to quantify my efforts. I'm sure you don't think I just asked AI something basic (e.g. "verify this code is correct").

  • Most I want is transparency.

    I agree with all you're saying, especially this, which is why I entertain the idea of open source at all. What does transparency look like to you? Code? Documentation? Open discussion? Transparency is undermined when I'm trying to talk about something clearly complicated in order to seek feedback.

    cryptography code... Isn't that a bit dangerous?

    In software dev we have things like unit tests (you already know that)... but when diving into cryptography we have formal proofs and verification we can use. It doesn't need AI to extract an abstraction from the code implementation to run verification on. The tooling there is common practice, and if we question whether AI is doing it properly, we bring into question whether the tooling used is good enough.

    • security audit
    • unit tests
    • formal proof
    • formal verification
    • documentation

    Individually, they are all easily AI slop. But combined, I hope it can serve as a starting point for a proper review. I don't mean a proper review from you either... I was seeking a review from orgs that specialise in such reviews.

    https://www.reddit.com/r/CyberSecurityAdvice/comments/1su8lir/security_audit_feedback_from_radically_open

    You make a lot of assumptions about how I code and what I understand about my project. Enumerating what I've done and plan to do wouldn't do it any justice... but I will say this project is the result of a long-term effort. I created the project without AI originally. The idea is unique around client-managed cryptography (https://github.com/positive-intentions/chat).... ultimately it was clear that open source is dead, and so I've started introducing less transparency in the project as I introduce a closed-source UI. I still keep the cryptography-related modules open for transparency (whatever that's worth when people see that AI was involved).

    I wouldn't put my project out there if I didn't have faith in the implementation. I have actively sought feedback and received good advice from which I iterated and improved. It's particularly concerning if I'm being banned from communities for posting slop.

  • I vibecode a lot of things. My project is not inherently dangerous. People can use any software irresponsibly. In my project and all my communications about it, I make it clear to users to use it cautiously and that it's presented for testing and demo purposes. It's mentioned in all of my posts, and I also have terms and conditions within my projects that explain as much.

    Nobody is being tricked into sharing sensitive information... in fact, I made a proactive attempt to create something that doesn't need any personal information.

    Don't tell me what I should and shouldn't be coding. I put time and effort into testing and verifying. This is the issue with mentioning AI: it undermines all other efforts. It's the low-hanging fruit of criticism.

  • Programming @programming.dev

    We can't just call AI-generated code slop anymore

  • DevOps @programming.dev

    Multi Vendor Deployment with Infrastructure as Code

  • Cybersecurity @sh.itjust.works

    P2P WhatsApp Clone – No Setup or Signup

  • Opensource @programming.dev

    What are my options for a security audit for my FOSS project?

  • Web Development @programming.dev

    JSX for Web Components

  • JavaScript @programming.dev

    JSX for Web Components

  • Programming @programming.dev

    JSX for Web Components

  • JavaScript @programming.dev

    WhatsApp Clone – No Setup or Signup

    positive-intentions.com
  • Privacy @programming.dev

    Signal Protocol for a Web-Based Messenger

  • The Signal messenger and protocol. @lemmy.ml

    Signal Protocol for a P2P PWA

  • Rust @programming.dev

    Signal Protocol in Rust for Frontend Javascript

  • Cybersecurity @sh.itjust.works

    SimpleX Clone - No Setup or Signup

  • Programming @programming.dev

    Decentralized Microfrontend Module Federation Architecture

  • JavaScript @programming.dev

    WhatsApp Clone... But Decentralized and P2P Encrypted Without Install or Signup

  • Web Development @programming.dev

    WhatsApp Clone... But Decentralized and P2P Encrypted Without Install or Signup

  • Programming @programming.dev

    Quantum-Resistant Encryption in JavaScript

  • Cybersecurity @sh.itjust.works

    WhatsApp Clone... But Decentralized and P2P Encrypted Without Install or Signup

  • Privacy @programming.dev

    WhatsApp Clone... But Decentralized and P2P Encrypted Without Install or Signup

  • Cybersecurity @sh.itjust.works

    WebRTC and Onion Routing Question